
no TLS connections



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello everybody,
				
I am quite new to LDAP and I am testing locally before setting up a new
server. Unencrypted connections are all right, but I have no success with
TLS connections.

My box, a laptop, is a Debian Etch; the OpenLDAP version is 2.3.30 (the
packages installed are ldap-utils, libldap-2.3-0, libldap2 and slapd).

If needed, I can give more details, but basically I followed these steps:
1) a. set up a local certification authority (CA)
   b. created a certificate for the LDAP server, signed by my CA; I took
care that the Common Name is the server FQDN.
2) a. In /etc/default/slapd, I wrote
SLAPD_SERVICES="ldap://arwen.grenier.ambre:389/
ldaps://arwen.grenier.ambre:636/" (where arwen.grenier.ambre is my
laptop FQDN)
   b. In /etc/ldap/slapd.conf, according to where my files are, I wrote:
	TLSCACertificateFile    /etc/ldap/certificates/cacert.pem
	TLSCertificateFile      /etc/ldap/certificates/servercert.pem
	TLSCertificateKeyFile   /etc/ldap/certificates/serverkey.pem
	TLSVerifyClient         never
   c. In /etc/ldap/ldap.conf, I wrote:
	TLS_CACERT      /etc/ldap/certificates/cacert.pem
	TLS_REQCERT     never

I have read in the OpenLDAP admin guide that the TLS_REQCERT default value
is "demand", but it isn't compulsory, is it?

The request

  ldapsearch -H ldap://arwen.grenier.ambre -x -D "cn=root,dc=irem,dc=univ-lille1,dc=fr" -w secret -ZZ

seems all right, as it returns all the directory entries, but in syslog
(I put "loglevel 15" in slapd.conf) I have the following (I added some
comments to easily spot the possible errors):

Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: >>>
slap_listener(ldap://arwen.grenier.ambre:389/)
Apr 18 23:15:25 localhost slapd[6727]: daemon: listen=6, new connection
on 11
Apr 18 23:15:25 localhost slapd[6727]: daemon: added 11r (active)
listener=(nil)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_extended
Apr 18 23:15:25 localhost slapd[6727]: do_extended:
oid=1.3.6.1.4.1.1466.20037
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1
tag=120 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to
get TLS client DN, error=49 id=8
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_bind
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<cn=root,dc=irem,dc=univ-lille1,dc=fr>,
<cn=root,dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3
dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128
Apr 18 23:15:25 localhost slapd[6727]: ==> bdb_bind: dn:
cn=root,dc=irem,dc=univ-lille1,dc=fr
Apr 18 23:15:25 localhost slapd[6727]: do_bind: v3 bind:
"cn=root,dc=irem,dc=univ-lille1,dc=fr" to
"cn=root,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=1 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2
tag=97 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
### PROBLEM ???
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=11 (Resource temporarily unavailable)
###
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_search
Apr 18 23:15:25 localhost slapd[6727]: >>> dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: <<< dnPrettyNormal:
<dc=irem,dc=univ-lille1,dc=fr>, <dc=irem,dc=univ-lille1,dc=fr>
Apr 18 23:15:25 localhost slapd[6727]: SRCH
"dc=irem,dc=univ-lille1,dc=fr" 2 0
Apr 18 23:15:25 localhost slapd[6727]:     0 0 0
Apr 18 23:15:25 localhost slapd[6727]:     filter: (objectClass=*)
Apr 18 23:15:25 localhost slapd[6727]:     attrs:
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: => bdb_search
Apr 18 23:15:25 localhost slapd[6727]:
bdb_dn2entry("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: search_candidates:
base="dc=irem,dc=univ-lille1,dc=fr" (0x00000056) scope=2
Apr 18 23:15:25 localhost slapd[6727]: =>
bdb_dn2idl("dc=irem,dc=univ-lille1,dc=fr")
Apr 18 23:15:25 localhost slapd[6727]: => bdb_presence_candidates
(objectClass)
Apr 18 23:15:25 localhost slapd[6727]: bdb_search_candidates: id=-1
first=1 last=171
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <= entry_decode(dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: entry_decode: "cn=admin,dc=nodomain"
Apr 18 23:15:25 localhost slapd[6727]: <=
entry_decode(cn=admin,dc=nodomain)
Apr 18 23:15:25 localhost slapd[6727]: => bdb_dn2id("domain")
Apr 18 23:15:25 localhost slapd[6727]: <= bdb_dn2id: get failed:
DB_NOTFOUND: No matching key/data pair found (-30990)
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
[ ... more search results ... ]
Apr 18 23:15:25 localhost slapd[6727]: => send_search_entry: conn 8
dn="uid=arlette.lengaigne,ou=personnes,dc=irem,dc=univ-lille1,dc=fr"
Apr 18 23:15:25 localhost slapd[6727]: <= send_search_entry: conn 8 exit.
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: conn=8 op=2 p=3
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_result: err=0
matched="" text=""
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3
tag=101 err=0
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on:
Apr 18 23:15:25 localhost slapd[6727]:  11r
Apr 18 23:15:25 localhost slapd[6727]:
Apr 18 23:15:25 localhost slapd[6727]: daemon: read activity on 11
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11)
Apr 18 23:15:25 localhost slapd[6727]: connection_get(11): got connid=8
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for
input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed
errno=0 (Success)
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input
error=-2 id=8, closing.
Apr 18 23:15:25 localhost slapd[6727]: connection_closing: readying
conn=8 sd=11 for close
Apr 18 23:15:25 localhost slapd[6727]: connection_close: deferring
conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: activity on 1 descriptor
Apr 18 23:15:25 localhost slapd[6727]: daemon: waked
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=6
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: daemon: select: listen=7
active_threads=0 tvp=NULL
Apr 18 23:15:25 localhost slapd[6727]: do_unbind
Apr 18 23:15:25 localhost slapd[6727]: connection_resched: attempting
closing conn=8 sd=11
Apr 18 23:15:25 localhost slapd[6727]: connection_close: conn=8 sd=-1
Apr 18 23:15:25 localhost slapd[6727]: daemon: removing 11

I am quite sure that my setup is not totally correct as, for instance, I
successfully connect to the directory from the phpLDAPadmin web interface
without TLS, but can't connect with TLS (or ldaps).

And another question :-)
What's the story with TLS_CIPHER_SUITE in ldap.conf, and TLSCipherSuite
in slapd.conf? Do they have to be set to some value? When I read the
admin guide, I don't understand if there is a default value or not, and
there is nothing concerning these directives in the Faq-O-Matic TLS entry.

Thanks for your help.
- --
Fabrice Eudes               -o)
PGP key 88AC3A66            /\\
Linux user no. 245401       _\_V
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGJo2RC7KnmYisOmYRAlqUAJ9hyv9dwGIVLOXyN7Cvjy7MRKCyfQCg1ZSL
Gti/xrhf/V1yCuQnZOELHRI=
=qTSn
-----END PGP SIGNATURE-----
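Reading the loglevel 15 output in the post above: the following is an added Python example (standard library only; it is not part of the original message and not OpenLDAP's code) that classifies the lines the poster marked "### PROBLEM ???". It treats errno=11 (EAGAIN on a non-blocking read) and errno=0 (EOF, the peer closed the socket) as benign, treats "unable to get TLS client DN, error=49" as expected when TLSVerifyClient is never (the client simply presented no certificate; 49 is invalidCredentials), confirms that the extended request for OID 1.3.6.1.4.1.1466.20037 got an ExtendedResponse (tag=120) with err=0, and flags a simple bind (method=128) that is not preceded by a successful StartTLS, since the password would then cross the wire in clear. The sample input is the post's own log lines with syslog's line wrapping undone; the verify_client argument and the classification rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
LDAP_AUTH_SIMPLE = 128                     # do_bind "method=128": simple (password) bind
TAG_EXTENDED_RESPONSE = 120                # send_ldap_response "tag=120": ExtendedResponse

# Sample input: the post's own slapd lines (loglevel 15), with syslog's wrapping undone.
SAMPLE_LOG = """\
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): checking for input on id=8
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=11 (Resource temporarily unavailable)
Apr 18 23:15:25 localhost slapd[6727]: do_extended: oid=1.3.6.1.4.1.1466.20037
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_extended: err=0 oid= len=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=1 tag=120 err=0
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): unable to get TLS client DN, error=49 id=8
Apr 18 23:15:25 localhost slapd[6727]: do_bind: version=3 dn="cn=root,dc=irem,dc=univ-lille1,dc=fr" method=128
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=2 tag=97 err=0
Apr 18 23:15:25 localhost slapd[6727]: send_ldap_response: msgid=3 tag=101 err=0
Apr 18 23:15:25 localhost slapd[6727]: ber_get_next on fd 11 failed errno=0 (Success)
Apr 18 23:15:25 localhost slapd[6727]: connection_read(11): input error=-2 id=8, closing.
Apr 18 23:15:25 localhost slapd[6727]: do_unbind
"""

_RE_EXTENDED = re.compile(r"do_extended: oid=(\S+)")
_RE_RESPONSE = re.compile(r"send_ldap_response: msgid=(\d+) tag=(\d+) err=(\d+)")
_RE_BER_FAIL = re.compile(r"ber_get_next on fd \d+ failed errno=(\d+)")
_RE_CLIENT_DN = re.compile(r"unable to get TLS client DN, error=(\d+)")
_RE_BIND = re.compile(r'do_bind: version=\d+ dn="([^"]*)" method=(\d+)')


@dataclass
class TlsTriage:
    starttls_requested: bool = False
    starttls_ok: bool = False          # ExtendedResponse to the StartTLS request carried err=0
    bind_after_tls: bool = False       # a simple bind was seen only after StartTLS succeeded
    benign: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def triage(log_text: str, verify_client: str = "never") -> TlsTriage:
    """Walk slapd debug output for one connection and separate noise from real TLS trouble.

    verify_client is the slapd.conf TLSVerifyClient value (assumed 'never', as in the post).
    """
    t = TlsTriage()
    awaiting_starttls_response = False
    for line in log_text.splitlines():
        m = _RE_EXTENDED.search(line)
        if m:
            if m.group(1) == STARTTLS_OID:
                t.starttls_requested = True
                awaiting_starttls_response = True
            continue
        m = _RE_RESPONSE.search(line)
        if m:
            tag, err = int(m.group(2)), int(m.group(3))
            if tag == TAG_EXTENDED_RESPONSE and awaiting_starttls_response:
                awaiting_starttls_response = False
                if err == 0:
                    t.starttls_ok = True
                else:
                    t.problems.append(f"StartTLS refused by server, err={err}: {line}")
            elif err != 0:
                t.problems.append(f"operation failed, err={err}: {line}")
            continue
        m = _RE_BER_FAIL.search(line)
        if m:
            errno = int(m.group(1))
            if errno == 11:   # EAGAIN: the non-blocking read simply had nothing more to read
                t.benign.append("EAGAIN on non-blocking read: no more input yet, not an error")
            elif errno == 0:  # EOF: the peer closed the connection
                t.benign.append("EOF: peer closed the connection (normal around unbind)")
            else:
                t.problems.append(f"read failure errno={errno}: {line}")
            continue
        m = _RE_CLIENT_DN.search(line)
        if m:
            if verify_client in ("never", "allow", "try"):
                t.benign.append("no client certificate presented; expected with TLSVerifyClient " + verify_client)
            else:
                t.problems.append(f"client certificate expected (TLSVerifyClient {verify_client}) but no peer DN: {line}")
            continue
        m = _RE_BIND.search(line)
        if m and int(m.group(2)) == LDAP_AUTH_SIMPLE:
            if t.starttls_ok:
                t.bind_after_tls = True
            else:
                t.problems.append(f"simple bind for {m.group(1)} with no TLS: password crosses the wire in clear")
    return t
```

Run on the post's excerpt, triage() reports StartTLS requested and accepted, the bind happening inside TLS, three benign lines and no problems; the same bind line on its own (no StartTLS before it) is flagged, and with verify_client="demand" the missing client DN becomes a finding.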
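The StartTLS exchange that the log records (msgid=1, extended request for OID 1.3.6.1.4.1.1466.20037, ExtendedResponse tag=120 err=0), as an added Python example using only the standard library; it is not part of the original post and not OpenLDAP's code. It hand-encodes the BER of the request, parses the response, and builds the client-side TLS context two ways, mirroring the ldap.conf setting in step 2c: TLS_REQCERT demand (chain and hostname verified against the local CA's cacert.pem) and TLS_REQCERT never (any certificate accepted, so a connection that "works" could just as well be to a man-in-the-middle). The host name, port and CA path are whatever the reader's setup uses; the sample response bytes are constructed to match the success slapd logged, and starttls() itself needs a live server and is not exercised offline.

```python
import socket
import ssl
from typing import Optional

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# BER tags used by the StartTLS exchange (RFC 4511 / X.690)
TAG_SEQUENCE = 0x30
TAG_INTEGER = 0x02
TAG_ENUMERATED = 0x0A
TAG_EXTENDED_REQUEST = 0x77      # [APPLICATION 23], constructed
TAG_EXTENDED_RESPONSE = 0x78     # [APPLICATION 24], constructed: the "tag=120" in slapd's log
TAG_REQUEST_NAME = 0x80          # [0] requestName inside ExtendedRequest


def _ber_len(n: int) -> bytes:
    """Definite-length encoding: short form below 128, long form at 128 and above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_starttls_request(msgid: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS OID } }."""
    ext = _tlv(TAG_EXTENDED_REQUEST, _tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode()))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_INTEGER, bytes([msgid])) + ext)


def decode_extended_response(data: bytes) -> dict:
    """Parse LDAPMessage { messageID, ExtendedResponse { resultCode, matchedDN, diagnosticMessage, ... } }."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msgid_bytes, pos = _read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, resp, _ = _read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError(f"expected ExtendedResponse (tag {TAG_EXTENDED_RESPONSE}), got {tag}")
    tag, rc, pos = _read_tlv(resp, 0)
    if tag != TAG_ENUMERATED:
        raise ValueError("missing resultCode")
    _, matched, pos = _read_tlv(resp, pos)
    _, diag, pos = _read_tlv(resp, pos)
    return {
        "msgid": int.from_bytes(msgid_bytes, "big"),
        "result_code": int.from_bytes(rc, "big"),
        "matched_dn": matched.decode(),
        "diagnostic": diag.decode(),
    }


def tls_client_context(reqcert: str, cafile: Optional[str] = None) -> ssl.SSLContext:
    """Mirror ldap.conf TLS_REQCERT: 'demand' verifies chain and hostname, 'never' accepts anything."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if reqcert == "demand":
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        if cafile:
            ctx.load_verify_locations(cafile=cafile)   # e.g. the local CA's cacert.pem
        else:
            ctx.load_default_certs()
    elif reqcert == "never":
        ctx.check_hostname = False        # must be cleared before verify_mode can become CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE   # any certificate, a MITM's included, is accepted
    else:
        raise ValueError("only 'demand' and 'never' are modelled here")
    return ctx


def starttls(host: str, port: int = 389, reqcert: str = "demand", cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Send StartTLS on a plain LDAP connection and upgrade the socket (network; not run offline)."""
    sock = socket.create_connection((host, port))
    sock.sendall(encode_starttls_request(msgid=1))
    reply = decode_extended_response(sock.recv(4096))   # one small PDU; a real client would buffer
    if reply["msgid"] != 1 or reply["result_code"] != 0:
        sock.close()
        raise RuntimeError(f"StartTLS refused: {reply}")
    ctx = tls_client_context(reqcert, cafile)
    # server_hostname is what check_hostname compares with the certificate's CN/SAN,
    # so connect by the FQDN the certificate was issued for, not by IP address.
    return ctx.wrap_socket(sock, server_hostname=host)


# Constructed sample: the success response slapd logged as "msgid=1 tag=120 err=0"
# (resultCode success, empty matchedDN and diagnosticMessage, no responseName).
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
```

Compare the two contexts: with "never", wrap_socket() succeeds against any certificate, so the -ZZ search in the post proves only that a TLS layer came up, not that the server at the other end is the one whose certificate the CA signed; with "demand" and cafile pointing at cacert.pem, wrap_socket() raises ssl.SSLCertVerificationError unless the chain validates and the CN or SAN matches the FQDN used to connect.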